Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    22-05-2024 02:30

General

  • Target

    e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

  • Size

    120KB

  • MD5

    479d30cd484920e686388641718edc53

  • SHA1

    c7040a1893168c204c759280d9671b0b58890c8c

  • SHA256

    e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

  • SHA512

    e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

  • SSDEEP

    1536:2Wzd3+6aUp+3aTvjgFnbF/nt6z9b1Caom02vrDxcHtcV/erWEUzny94BgJad:z3av3aTvjv9b1Ch30rDxcHtcV/SquI

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    "C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2688
      • C:\Windows\system32\timeout.exe
        timeout /t 3
        3⤵
        • Delays execution with timeout.exe
        PID:2700
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2576
      • C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
        "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:2452
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            PID:2460
          • C:\Windows\system32\findstr.exe
            findstr /R /C:"[ ]:[ ]"
            5⤵
            PID:2480
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:2540
          • C:\Windows\system32\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            PID:2408
          • C:\Windows\system32\findstr.exe
            findstr "SSID BSSID Signal"
            5⤵
            PID:348
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4A0F9067-C4B3-4082-9F4B-CDD1DB8937F5} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
      C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:940
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:608
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:556
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
          PID:2536
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          4⤵
          PID:2848
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:1612
        • C:\Windows\system32\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:2996
        • C:\Windows\system32\findstr.exe
          findstr "SSID BSSID Signal"
          4⤵
          PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    T1053 Scheduled Task/Job (1)
  • Persistence
    T1053 Scheduled Task/Job (1)
  • Privilege Escalation
    T1053 Scheduled Task/Job (1)
  • Defense Evasion
    T1553 Subvert Trust Controls (1)
    T1553.004 Install Root Certificate (1)
    T1112 Modify Registry (1)
  • Credential Access
    T1552 Unsecured Credentials (2)
    T1552.001 Credentials In Files (1)
    T1552.002 Credentials in Registry (1)
  • Discovery
    T1012 Query Registry (2)
    T1082 System Information Discovery (1)
  • Collection
    T1005 Data from Local System (2)
    T1114 Email Collection (1)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ad4133086f0f9a6b654df50b515893b0

    SHA1

    6d011a7a7ca109398d80f6a5e47cb46267eeab00

    SHA256

    be05131b70b8cbb9f2286264e903a99a26ca7e14cce6b6b84c6cb4b6e0ed4f26

    SHA512

    a8f934f07a4ecd28613fb844c10e578a561c49a2241027a59499f3be512cb4fde12f51013cd512d10c8d6cc6e7a8fb1a3771122ef340ae691b5024833fed9c41

  • C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    Filesize

    120KB

    MD5

    479d30cd484920e686388641718edc53

    SHA1

    c7040a1893168c204c759280d9671b0b58890c8c

    SHA256

    e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

    SHA512

    e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

  • C:\Users\Admin\AppData\Local\Temp\Cab236A.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar238D.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat
    Filesize

    4B

    MD5

    53b354612d26628e73986a80e254864e

    SHA1

    2bafcab69af7cc122e0243be50dbbfcc3da9c224

    SHA256

    a78a64d5caf8a0e1b3cad794c225ddd57deb2ffaf39a4d73e9973203aec7d022

    SHA512

    02f4aea7af181d477db51a7390671d7bccca88e30e68c7b91029cc70390c1870b6c6e377337cfb77e78ceed78aad932f37bb1a7462db22ea6c7131f192bc5103

  • memory/2008-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp
    Filesize

    4KB

  • memory/2008-1-0x0000000000150000-0x0000000000174000-memory.dmp
    Filesize

    144KB

  • memory/2008-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
    Filesize

    9.9MB

  • memory/2008-5-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
    Filesize

    9.9MB

  • memory/2704-9-0x0000000001180000-0x00000000011A4000-memory.dmp
    Filesize

    144KB